~ My CCIE Wireless Journey & More…..

Autonomous AP with External RADIUS

In this post we will see how to configure an Autonomous AP to authenticate users against an external RADIUS server. I have used ACS v5.2 as my RADIUS server, and an 1142N access point running IOS image c1140-k9w7-mx.124-25d.JA for this exercise. Here is the basic topology for the post.

Here is the basic configuration of the AP (open authentication) & the switch. Make sure this configuration is working before proceeding to the RADIUS configuration. I used only Radio 1 (5GHz) for simplicity.

When configuring RADIUS on any IOS device, here are the 3 steps you need to follow.

1. Define the RADIUS server (or servers).
2. Create a RADIUS server group listing the defined servers.
3. Create a method list that points to the RADIUS group you created.

When working with RADIUS you can easily lock yourself out unless the configuration is 100% correct. Therefore it is always good practice to have a safe way of accessing the IOS device even if you make a mistake. So before starting the rest of the configuration we will configure the console line not to do any authentication.

line con 0
no login authentication

The first command to enter is "aaa new-model". Then you can define the RADIUS server configuration as shown below. I have used "Cisco123" as the shared key & a timeout value of 10s (the default is 5s).

A1142-1(config)#radius-server ?
  accounting          Accounting information configuration
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  backoff             Retry backoff pattern (Default is retransmits with constant delay)
  cache               AAA auth cache default server group
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  dead-criteria       Set the criteria used to decide when a radius server is marked dead
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  retry               Specify how the next packet is sent after timeout.
  source-ports        source ports used for sending out RADIUS requests
  timeout             Time to wait for a RADIUS server to reply
  transaction         Specify per-transaction parameters
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration

radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key Cisco123 1D5A5E57
radius-server timeout 10

As the 2nd step, define the RADIUS server group & list the server you defined in it. I have used "RAD_GRP" as my RADIUS group name.

As the final step, define a method list pointing to the RADIUS group you defined & apply it to the WLAN (SSID) you created. The method list name "EAP_MTD" is used in my example. Additionally I have configured WPA2/AES for added security.
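Putting the three steps together, here is the complete AP-side configuration as an added example (it is not the original post's screenshots). The server address, shared key, timeout, group name and method-list name are the ones used in this post; the SSID name "CCIE-EAP" is my own assumption.

```text
! Added example: full AAA + SSID configuration for the autonomous AP.
! From the post: server 192.168.100.2, key Cisco123, timeout 10,
! group RAD_GRP, method list EAP_MTD, Radio 1 only.
! Assumed: SSID name "CCIE-EAP".
!
! Safety net first (the post's own step): console line does not use AAA,
! so a mistake in the method lists below cannot lock you out.
line con 0
 no login authentication
!
aaa new-model
!
! Step 1: define the RADIUS server (auth/acct ports, shared secret, 10s timeout)
radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key Cisco123
radius-server timeout 10
!
! Step 2: server group listing the server defined above
aaa group server radius RAD_GRP
 server 192.168.100.2 auth-port 1812 acct-port 1813
!
! Step 3: login method list that points at the group;
! the SSID references this list for EAP authentication.
aaa authentication login EAP_MTD group RAD_GRP
!
! SSID: open + EAP (standard 802.1X) and network-EAP (Cisco clients).
! WPA2 key management derives the PTK from the RADIUS-supplied PMK.
dot11 ssid CCIE-EAP
 authentication open eap EAP_MTD
 authentication network-eap EAP_MTD
 authentication key-management wpa version 2
 guest-mode
!
! Radio 1 (5GHz) only, as in the post; AES-CCMP cipher for WPA2.
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid CCIE-EAP
 no shutdown
```

Once applied, `show radius statistics` on the AP shows whether Access-Requests are being answered or timing out, and `debug radius authentication` shows the exchange while a client associates.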

That's pretty much the configuration on the AP itself. Next you have to configure ACS 5.2. In ACS you have to configure the shared secret for this AP. You can either configure each NAS device individually or configure a Default Network Device, which applies to any device connecting to ACS. I have used the default device method.

Then make sure you have created a username/password for testing. In my example I have used a local user (test/test123) within ACS. Also, if you want to do EAP-TLS, make sure you have installed the necessary certificates on ACS & the test client (not explained in this post) & that they are correctly listed in the Certificate Authority section.

For TLS to work you need the certificates installed & TLS requests pointing to the Identity Store created for TLS.

I have defined an Identity Store for all EAP-TLS requests.

Then I have defined a custom attribute named NAS-IP that references the "NAS-IP-Address" attribute in the RADIUS-IETF dictionary. For a simple scenario like ours we can use the default permit rule without any custom policy, but if you want to do some filtering based on RADIUS requests coming from this NAS IP, this method is very useful.

Next, make sure all required protocols are permitted through ACS (Access Policies -> Default Network Access -> Allowed Protocols).

In the Access Policies -> Default Network Access -> Identity section, you have to specify that if the request is EAP-TLS, the Identity Store defined for TLS is used. By default all requests go to the Internal Users Identity Store. So I have created a rule-based selection pointing all TLS requests to the "CCIE-TLS-Internal" identity store created in the previous step.

Then you can create a policy by adding the custom attribute created (NAS-IP) to the Custom Conditions. You can do this by clicking the "Customize" button under Access Policies -> Default Network Access -> Authorization. (Some other attributes are also shown, but they are not relevant to this example.)

In ACS you can also monitor the successful authentications of these clients. Here are the "Monitoring & Reports -> Launching Monitoring & Report Viewer -> RADIUS Authentication" results.

If you want to look at the details, click the magnifying glass icon. This is the best way of troubleshooting when a client's connection is not successful: it gives the failure reason & points you in the right direction. Here is part of a PEAP authentication that came from my iPhone 5 client.

Hope this is useful for anyone who wants to play with an Autonomous AP & external RADIUS for authentication.